US ARMY CRIMINAL INVESTIGATION COMMAND COMPUTER CRIME INVESTIGATIVE UNIT

DIGITAL FORENSIC EXAMINATION NOTES

Date/Time | Action | Result
25 Apr 11, 1000
Action: Consolidated and edited keyword list for maximum search coverage/efficiency
Result: 183 keywords


1200
Action: Transferred images and keyword files to forensic machine using MicroForensics Evidence Mover v1.1.17
Result: Transfers successful


26 Apr 11, 0730
Action: Prepped forensic machine for operations
Result: Successfully updated Symantec Endpoint Protection and Windows Defender. Windows not updated at this time due to internal network being down. Lack of Windows updates will not adversely affect this examination.


0910
Action: Conducted full AVS scan of forensic machine with Symantec Endpoint Protection v11.0.6100.645 (Def: April 25, 2011 r2)
Result: No potential threats identified.


1433
Action: Ensured all HOUSE media properly added to EnCase case file (0018-11-CID361_HOUSE.case)
Result: Added USB storage key image, 8gb SD card image, HOUSE's netbook image, and contents of cell phone dump (as single files)


1437
Action: Ran automated EnCase search for email
Result: None found


1438
Action: Ran EnCase condition to locate potential email archive files (.PST, .OST, .MBOX, .EDB)
Result: No email located


1443
Action: Ran EnCase "File Mounter" EnScript to mount identified compound files by file extension
Result: File Mounter EnScript Started
Processing 882 Files
77 file(s) mounted
File Mounter EnScript completed in 234 Seconds


1445
Action: Added keyword list to EnCase and set proper GREP flags where applicable, and made additional edits
Result: N/A



Case# [redacted]
Evidence Tag# N/A
Examiner: [redacted]
Subject/Evidence Description: Data seized by ICE from HOUSE and [redacted] at the U.S. Border

1455
Action: Exported keywords


1457
Action: Began hash analysis of all files in case using "Hash Set - NIST" and USACIL->"5-NSRL" hash sets to identify known files
Result: Status: Completed
Start: 26-Apr-11 15:53:35
Stop: 26-Apr-11 16:02:22
Time: 0:08:47
Files: 337,376
Hash values: 337,187


27 Apr 11, 0654
Action: Ran "Fast Find Unique Files by Hash" EnCase filter. Sorted by "Hash Category" to eliminate "Known" system files from search.
Result: 106638 unique files of 337376 total files remained after filter. 103390 files remaining after selection of unique non-"Known" files


0700
Action: Searched remaining unique files for keywords through "B" (38 total)
Result: Status: Completed
Start: 27-Apr-11 07:05:57
Stop: 27-Apr-11 07:55:59
Time: 0:50:02
Files: 103,390
Records:
Search Hits: 80,245
Added Search Hits: 80,234


0800
Action: Searched remaining unique files for keywords from "D" through "G" (42 total)
Result: Status: Completed
Start: 27-Apr-11 08:01:50
Stop: 27-Apr-11 08:34:27
Time: 0:32:37
Files: 103,390
Records:
Search Hits: 125,796
Added Search Hits: 125,781


0906
Action: Searched remaining unique files for keywords from "H" through "M" (43 total)
Result: Status: Completed
Start: 27-Apr-11 09:07:35
Stop: 27-Apr-11 09:21:04
Time: 0:13:29
Files: 103,390
Records:
Search Hits: 73,992
Added Search Hits: 73,992

Page 2 of 11
LAW ENFORCEMENT SENSITIVE - FOR OFFICIAL USE ONLY


1005
Action: Searched remaining unique files for keywords from "N" through "I" (60 total)
Result: Status: Completed
Start: 27-Apr-11 10:05:16
Stop: 27-Apr-11 10:20:49
Time: 0:15:33
Files: 103,390
Records:
Search Hits: 247,703
Added Search Hits: 246,278


1230
Action: Ran "Show one hit per file" filter
Result: 26,148 total files/objects identified as potentially responsive to the keyword list
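The triage sequence recorded in the entries above (hash analysis against the NIST/USACIL known-file sets, the unique-files-by-hash filter, the keyword pass with literal and GREP entries, and the one-hit-per-file filter) carried out end to end, as an added Python example that is not part of these notes and not EnCase or CID code. The corpus, the stand-in known-hash set, the paths and the keyword list are all constructed inline so the script runs offline; a real run would load the NSRL reference set and the case's 183-keyword list instead.

```python
"""Hash-based triage followed by keyword search, in the order the notes record:
hash every file, keep one file per hash, drop hashes found in the known-file
set, run the keyword list over what remains, collapse hits to one per file.
Added example; not CID or EnCase code. All inputs below are constructed."""
import hashlib
import re
from collections import namedtuple

Hit = namedtuple("Hit", "path keyword offset")


def sha1_hex(data: bytes) -> str:
    """NSRL reference sets are keyed by SHA-1 (and MD5); SHA-1 is used here."""
    return hashlib.sha1(data).hexdigest()


# Constructed "known" content standing in for a NIST NSRL / USACIL hash set.
# A real set is loaded from the NSRL release, never computed inline like this.
_KNOWN_CONTENT = [
    b"MZ\x90\x00 constructed stand-in for a stock Windows binary",
    b"constructed stand-in for a default wallpaper image",
]
KNOWN_HASHES = {sha1_hex(c) for c in _KNOWN_CONTENT}

# Constructed corpus: path -> bytes. Duplicates and known files are included
# on purpose so each filter stage has something to remove.
SAMPLE_FILES = {
    "netbook/Windows/System32/stock.exe": _KNOWN_CONTENT[0],
    "usb/backup/stock.exe": _KNOWN_CONTENT[0],              # duplicate + known
    "netbook/Users/pics/wallpaper.jpg": _KNOWN_CONTENT[1],  # known
    "netbook/Users/docs/notes.txt": b"Call attorney Monday re: ICE letter.",
    "usb/docs/notes.txt": b"Call attorney Monday re: ICE letter.",  # duplicate
    "sd/DCIM/img001.jpg": b"\xff\xd8\xff\xe0 constructed jpeg header; nothing",
    "netbook/Users/docs/travel.txt": b"Border crossing 2011-04-22, SEIZURE form",
}


def hash_triage(files: dict, known_hashes: set):
    """Return (remaining_files, stats).
    Stage 1 keeps one representative per distinct hash ("unique files by hash");
    stage 2 drops representatives whose hash is in the known set."""
    by_hash = {}
    for path in sorted(files):           # sorted: deterministic representative
        by_hash.setdefault(sha1_hex(files[path]), path)
    unique = {p: files[p] for p in by_hash.values()}
    remaining = {p: d for p, d in unique.items() if sha1_hex(d) not in known_hashes}
    stats = {"total": len(files), "unique_by_hash": len(unique),
             "unique_non_known": len(remaining)}
    return remaining, stats


def compile_keywords(keywords):
    """keywords: list of (term, is_grep). Literal terms are escaped; GREP terms
    are used as regular expressions. Matching is case-insensitive throughout."""
    out = []
    for term, is_grep in keywords:
        pattern = term if is_grep else re.escape(term)
        out.append((term, re.compile(pattern.encode(), re.IGNORECASE)))
    return out


def keyword_search(files: dict, keywords) -> list:
    """Every match of every keyword over the remaining files: the raw
    'Search Hits' figure in the notes."""
    compiled = compile_keywords(keywords)
    hits = []
    for path in sorted(files):
        for term, rx in compiled:
            for m in rx.finditer(files[path]):
                hits.append(Hit(path, term, m.start()))
    return hits


def one_hit_per_file(hits) -> dict:
    """Collapse to the first hit per file, like the 'Show one hit per file'
    filter: this is the list of files an examiner actually reviews."""
    first = {}
    for h in hits:
        first.setdefault(h.path, h)
    return first


# Constructed keyword list; the second element marks a GREP (regex) entry.
KEYWORDS = [("attorney", False), ("ICE", False), (r"seiz(e|ure)", True)]

if __name__ == "__main__":
    remaining, stats = hash_triage(SAMPLE_FILES, KNOWN_HASHES)
    hits = keyword_search(remaining, KEYWORDS)
    per_file = one_hit_per_file(hits)
    print(stats)
    print(f"{len(hits)} search hits, {len(per_file)} responsive files")
    for path, h in per_file.items():
        print(f"  {path}: first hit {h.keyword!r} at offset {h.offset}")
```

On the constructed corpus the two stages take 7 files to 5 unique hashes and then to 3 non-known files, and the keyword pass yields 3 hits in 2 files; the same ratios are what the 337,376 / 106,638 / 103,390 and 247,703 / 26,148 figures in the notes express at case scale. Hashing before searching is what keeps the keyword pass proportional to unique, unknown content rather than to every copy of every stock binary on the media.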




1322
Action: Ran automated EnCase search for email
Result: Identified 802608 email objects displayed in the EnCase records view. Due to pathing issues, will keyword search email messages in EnCase instead of exporting.


1445
Action: Ran EnCase "File Mounter" EnScript to mount identified compound files by file extension, excluding email data (total: 1451279 files)
Result: File Mounter EnScript Started
Processing 27614 Files
23394 file(s) mounted
File Mounter EnScript completed in 432 Seconds

1500
Action: Began hash analysis of all files in case using "Hash Set - NIST" and USACIL->"5-NSRL" hash sets to identify known files
Result: Status: Completed
Start: 27-Apr-11 15:05:58
Stop: 27-Apr-11 15:28:42
Time: 0:22:44
Files: 2,254,833
Hash values: 2,004,231


28 April 11 - 4 May 11
Action: Examiner on bereavement leave










1246
Action: Examined keyword hits for HOUSE USB Key Storage device
Result: Nothing of evidentiary value found.


1313
Action: Examined keyword hits for HOUSE 8gb SD Card
Result: Nothing of evidentiary value found. Device appears to have been encrypted with unknown technique/tool.


1315
Action: Examined keyword hits for HOUSE UFED (Single Files) data
Result: 9 potentially pertinent files located and bookmarked




1355
Action: Began examination of keyword hits for HOUSE Netbook
Result: Finished "M" through "Attorney". 1 potentially pertinent file identified and bookmarked.



1300
Action: Continued examination of keyword hits for HOUSE Netbook.
Result: Completed list. 33 potentially pertinent files identified and bookmarked.



1500
Action: Pertinent bookmarked files from HOUSE media reviewed by [redacted]
Result: No pertinent data that would justify seizure by ICE.



needed for meeting with ICE at 1400. Just description of what, if anything, was found during the examinations.




1400
Action: Meeting with ICE
Result: Demand Letter satisfied. Request to delete case data. Examination terminated.


